intra.work website and mobile apps (collectively known here as ´intra.work Services´) is offered by intraWork AS (intraWork). intraWork has contracted intraHouse AS (intraHouse) as operator of the intra.work Services as well as perform the required duties as their Data Controller. intraHouse will process personal data only for purposes that are objectively justified by intra.work Services and to perform the processing in accordance with privacy rights and regulations, including the need to protect personal integrity and private life and to ensure that personal data are of adequate quality.
Further it is the policy of both intraWork and intraHouse to adhere to local data privacy legislation as well as corporate policies and procedures and applicable privacy directives.
Processing may include collection, recording, alignment, storage, transfer and disclosure or a combination thereof. intra.work Services process personal data both as a processor and as a controller, as defined in the European General Data Protection Regulation (GDPR). For more information, including procedures involving the management of your personal data, please visit intraHouse´s Data Protection Policy here.
2. Categories of Personal data
The personal data are related to employees, customers, and customers of the customers, suppliers, complainants, correspondence, enquiries, visitors on intra.work Services´ webpages, and data subjects whose personal data is controlled by any of those listed.
intra.work Services processes:
Personal data on behalf of intra.work Services’ customers and
Personal data where intra.work Services is data controller, which may include:
Personal data on employees
Information and assessments connected to other categories of personal data. It is the policy of intra.work Services to limit these data only to include contact details, strictly professional information and information related to the activities intra.work Services have performed in relation to the persons concerned. intra.work Services may collect, store, use and transfer personal data for specifically expressed purposes when the user visits intra.work Services’ internet page. Such purposes are in general daily operation of the system and communication.
3. Principle rules
When processing personal data intra.work Services will fulfill obligations:
- towards the data subjects
- towards public authorities; and
towards customers and other controllers than intra.work Services with regard to how the processing is carried out.
The obligations are further detailed below.
In relation to the data subject there are provisions in the applicable personal data act stipulating conditions for authorizing the processing. Consent from the data subject is normally a sufficient authorization. Dependent upon the data being sensitive or not, other conditions may authorize the processing. Furthermore, intra.work Services have an obligation to provide information to the data subject and upon request to provide access to the data. To ensure that personal data are of adequate quality, deficient personal data may be rectified.
In relation to the public authorities the applicable Personal Data Act contains an obligation to give notification and - for some processing - an obligation to obtain a license.
When intra.work Services is providing services to customers that include processing of personal data, such processing can only take place when there is a contractual basis for such processing.
As regards the processing itself there are obligations with regard to data security and internal control. Organizational, physical and technical security measures shall be implemented to ensure adequate level of data security. The measures shall be in proportion to the probability and consequences of any breaches of security in order to prevent loss of life or health, economical loss or loss of reputation and personal integrity. The use of external resources to process personal data may be subject to specific provision of applicable Personal Data Act, as well as the transfer of data to other countries. intra.work Services will delete personal data when all purposes of the processing of the personal data are fulfilled. The retention time of each category of personal data is assessed in light of practical, technical and other considerations.
4. Audit programme
In order to verify that intra.work Services’ processing meets data protection and privacy requirements, intra.work Services and intraHouse will conduct audits according to intra.work Services’ standard audit regime.